Slide 1: Addressing Corporate Concerns on Information Security Management with ISO 17799/BS 7799
Ajai K. Srivastava, G.M. Marketing, BSI India

Slide 2: Presentation Outline
1. The Global Information Village
2. The Need for Protection
3. BS 7799 – An Overview
4. Implementing an ISMS based on BS 7799
5. Benefits of using BS 7799
Slide 3: 1. The Global Information Village
www.bsiindia.com

Slide 4: The Global Information Village
(Image slide, title only.)

Slide 5: The Paradigm Shift in the Nature of Information
Industrial economy – information as noun:
- Static: e.g. memo, financial report, etc.
- Automation: an idiot savant, assisting in managing repetitive discrete steps
Information economy – information as verb:
- Dertouzos: "Information Work", e.g. designing a building
- Dominates the terrain: 50 to 60% of an industrialised country's GNP

Slide 6: The Digital Nervous System
- Strategic Thinking
- Business Reflexes
- Basic Operations
- Customer Interaction
"Business @ the Speed of Thought"

Slide 7: Information flow is the lifeblood of your business

Slide 8: Information tends to be the most undervalued asset a business has. Information can directly affect the most valuable asset a business has: IMAGE.

Slide 9: "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (ISO/IEC 17799:2000)
Slide 10: 2. The Need for Protection

Slide 11: (Diagram: Information, Information Security, Attack)

Slide 12: Typical Technology Responses

Slide 13: (Diagram: Information, Attack, Information Security)

Slide 14: (Diagram: Information, Attack, Information Security)

Slide 15: (Diagram: Information, Information Security)

Slide 16: Management System – Building Blocks
Total Business Management System: Inputs -> Core Processes -> Outputs, supported by Support Processes, Management and Resources.

Slide 17: Business Management System
Components: Quality, Environment, Health and Safety, Risk, Information Security, People, Improvement.

Slide 18: Business Management System (BSI – IMS)
- Risk: BSI Risk Management
- Health & Safety: OHSAS 18001
- Improvement: ISO 9004
- Customers: BS 8600
- Information Security: BS 7799
- Environment: ISO 14001
- Quality: ISO 9001:2000, QS-9000 / TS 16949, AS9000 / AS9100, TL9000

Slide 19: Management Systems & Standards
(Chart: aspects covered increasing with stakeholders involved)
- ISO 9001 Quality Management
- ISO 14001 Environmental Management
- OHSAS 18001 Health and Safety Management
- ISO 17799 Information Security Management
- ISO 9004 Performance Improvement (all interested parties)
Slide 20: Managing your Risks

Slide 21: Information Security Assurance – 3 different layers
- Product level assurance (e.g. firewall): product is fit for its purpose
- Process level assurance (e.g. credit card transactions): robust processes to protect interested parties
- Management system level assurance (e.g. ISMS): systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulators, etc.

Slide 22: The Virtuous Management System Spiral
Commitment and Policy -> Planning -> Implementation and Operation -> Checking and Corrective Action -> Management Review -> Continual Improvement

Slide 23: ISMS – Your Competitive Edge
Information security management must be viewed as a strategic dimension of your business. Managing risks to information assets to:
- Protect brand
- Retain customers, and
- Enhance market capitalization

Slide 24: Critical Security Concerns (The First Global Information Security Survey – KPMG 2002)
- Viruses: 22%
- Hackers: 21%
- R.A. controls: 17%
- Internet security: 17%
- Data privacy: 10%

Slide 25: What is the damage? – Quantifiable (The First Global Information Security Survey – KPMG 2002)
The average direct loss of all breaches suffered by each organization is USD $108,000 (GBP 30,000; INR 500,000).

Slide 26: What is the damage? – Incalculable
- Loss of productivity
- Recovery costs
- Customers
- Market capitalisation
- Shareholder value
- Credibility

Slide 27: Common Myths About Information Security
- Myth 1: Information security is the concern and responsibility of the MIS/IT manager
- Myth 2: Security threats from outsiders are the greatest source of risks
- Myth 3: Information security is assured by safeguarding networks and the IT infrastructure
- Myth 4: Managing people issues is not as important
- Myth 5: Adopting the latest technological solutions will increase security
Slide 28: 3. BS 7799 – An Overview

Slide 29: What is Information Security?
ISO/IEC 17799:2000 defines this as the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorized to have access
- Integrity: safeguarding the accuracy and completeness of information and processing methods
- Availability: ensuring that authorized users have access to information and associated assets when required

Slide 30: ISO/IEC 17799?
What it is:
- An internationally recognized structured methodology dedicated to information security
- A defined process to evaluate, implement, maintain, and manage information security
- A comprehensive set of controls comprised of best practices in information security
- Developed by industry for industry
What it is not:
- A technical standard
- Product or technology driven
- An equipment evaluation methodology such as the Common Criteria (ISO 15408)
- Related to the "Generally Accepted System Security Principles" (GASSP)
- Related to the five-part "Guidelines for the Management of IT Security" (GMITS, ISO TR 13335)

Slide 31: What does it comprise?
- ISO/IEC 17799:2000 – Code of Practice for Information Security
- BS 7799-2:2002 – Specification for information security management systems

Slide 32: BS 7799-2:2002 – Plan, Do, Check, Act
Plan:
- Define ISMS scope and policy
- Define a systematic approach to risk assessment
- Identify the risks
- Apply the systematic approach for assessing the risks
- Identify and evaluate options for the treatment of risk
- Select control objectives and controls for the treatment of risks
Do:
- Implement a specific management program
- Implement the controls that have been selected
- Manage operations
- Manage resources
- Implement procedures and other control processes
Check:
- Execute procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Review the level of residual risk and acceptable risk
- Execute the management procedure
- Record and report all actions and events
Act:
- Measure performance of the ISMS
- Identify improvements in the ISMS and effectively implement them
- Take appropriate corrective and preventive action
- Communicate the results and actions and consult with all parties involved
- Revise the ISMS where necessary
- Ensure that the revisions achieve their intended objectives

Slide 33: BS 7799 – 10 Domains of Information Management
- Information Security Policy
- Security Organisation
- Asset Classification and Controls
- Personnel Security
- Physical Security
- Communications Management
- Access Controls
- System Development
- Continuity Planning
- Compliance
Slide 34: 4. Implementing an ISMS based on BS 7799

Slide 35: BS 7799 Registrations Around the Globe
(Chart slide, title only.)

Slide 36: BS 7799 Registrations in India
(Chart slide, title only.)

Slide 37: Building a Management System (BSI, consultant, client)
Input: client business awareness -> Develop management system -> Build process -> Measure/analyse progress -> Output: BSI certification, business improvement

Slide 38: Initiating BS 7799 Implementation
- Step 1: ISMS – Defining policy and organization structure
- Step 2: ISMS – Defining the scope
- Step 3: ISMS – Risk assessment
- Step 4: ISMS – Risk management
- Step 5: ISMS – Choosing controls
- Step 6: ISMS – Statement of Applicability

Slide 39: Risk Assessment and Risk Management Process
(Diagram slide, title only.)

Slide 40: BS 7799 Implementation (arranged as a Plan, Do, Check, Act cycle)
- Information Security Policy
- Security Organisation
- Classify Assets
- Apply the Controls
- Operationalise Process
- Check Process
- Corrective Action
- Management Review

Slide 41: ISMS Documentation
- Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability; management framework policies relating to BS 7799-2
- Level 2 – Procedures: describe processes (who, what, when, where)
- Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
- Level 4 – Records: provide objective evidence of compliance with ISMS requirements

Slide 42: Critical Success Factors
- Security policy that reflects business objectives
- Implementation approach is consistent with company culture
- Visible support and commitment from management
- Good understanding of security requirements, risk assessment and risk management
- Effective marketing of security to all managers and employees
- Providing appropriate training and education
- A comprehensive and balanced system of measurement, used to evaluate performance in information security management and to feed back suggestions for improvement
Slide 43: 5. Benefits of BS 7799

Slide 44: Benefits of BS 7799 certification
- Opportunity to identify and fix weaknesses
- Senior management take ownership of information security
- Provides confidence to trading partners and customers
- Independent review of your information security management system

Slide 45: Key Challenges facing executives
- Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competency
- Fractured corporate response to such focused attacks
- To think precisely about the concept of threat in the security context of the organization
- Executives must develop non-traditional competencies in strategic risk management
- Executives must manage ENTERPRISE SECURITY PROACTIVELY

Slide 46: Further Information
Email: ajai.srivastava@bsiindia.com
Tel: +11 2371 9002/3
Fax: +11 2373 9003